Openvpn Tunnelblick




Release Downloads

To be notified of new releases, use Tunnelblick's built-in update mechanism or subscribe to the Tunnelblick Announce Mailing List.

Beta versions are suitable for many users. See Stable vs. Beta for details.

As a Free Software project, Tunnelblick puts its users first. There are no ads, no affiliate marketers, no tracking — we don't even keep logs of your IP address or other information. We just supply open technology for fast, easy, private, and secure control of VPNs.

Beta: Tunnelblick 3.8.6beta03 (build 5700, macOS 10.10+, (mixed Intel-64, M1), notarized) released 2021-04-22 Release Notes
SHA1: 24787eb0a1b3f0692cba8f4d27ed2b00a64867a6 MD5: c77747cceeddd8c14794a893eed15c2c
SHA256: de0f6d24cbc45650c1789f6963f7b454099e6cd9a00ec067178977614415d256
GnuPG v2 signature

Stable: Tunnelblick 3.8.5a (build 5671, macOS 10.10+, (mixed Intel-64, M1), notarized) released 2021-04-21 Release Notes
SHA1: 9e6bb2717f0924fdf2fed306fe40837170b2d1ba MD5: ecaad1485e2691343ecb2c6ade161cbd
SHA256: 88f8cd776bf237a8b1c72531cf44bf7440e3bb4f94b16a77747351014c2de3a7
GnuPG v2 signature

Older: See the Deprecated Downloads page. Includes versions for OS X 10.4 - 10.7.4.

Uninstaller: The Tunnelblick Uninstaller has been replaced by an 'Uninstall' button on the 'Utilities' panel of Tunnelblick's 'VPN Details' window as of Tunnelblick 3.8.5beta02.
Please read Uninstalling Tunnelblick before using Tunnelblick Uninstaller.
Tunnelblick Uninstaller 1.12 (build 5090, macOS and OS X 10.7.5+, Intel-64 only, works on M1 using Rosetta) released 2018-06-26 Release Notes
SHA1: c4503360e032877e1ab0c2742872250c646ba983 MD5: 0b8c3f0898ca88f4bbe90fe61271d7ab
SHA256: 62b528da3212fd78146c6bcf03d88f4f8653845068b61f4f62029a3af791ef42
GnuPG v2 signature

Verifying Downloads

You should verify all downloads. Even though https:, the .dmg format, and the application's macOS digital signature provide some protection, they can be circumvented.

Verifying Hashes

Comparing the SHA256, SHA1, and MD5 hashes of your downloaded file with the official published ones will provide additional assurance that the download is legitimate and has not been modified. You can compare the hashes with programs included with macOS without the need to install additional software.

To compute the hashes of a file you've downloaded, type the following into /Applications/Utilities/Terminal:

shasum -a 256 path-to-the-file
openssl sha1 path-to-the-file
openssl md5 path-to-the-file

Then compare the computed hashes with the values shown near the link for the downloaded file.

(Don't type 'path-to-the-file' — type the path to the file, that is, the sequence of folders that contain the file plus the file name (e.g. /Users/janedoe/Desktop/Tunnelblick_3.7.2a_build_4851.dmg). An easy way to get it into Terminal is to drag/drop the file anywhere in the Terminal window. The pointer will turn into a green and white plus sign ('+') to indicate the path will be dropped. So you would type 'shasum -a 256 ' — with a space after the '256' — and then drag/drop the disk image file anywhere in the Terminal window.)

For additional assurance that the hashes displayed on this site have not been compromised, the hashes are also available in the description of each 'Release' on Tunnelblick's GitHub site, which is hosted and administered separately from this site.

Verifying GnuPG Signatures

Recent Tunnelblick disk images are also signed with GnuPG version 2.

To prepare for verifying signatures, you should download and install GnuPG 2.2.3 or higher, and then add the Tunnelblick Security GnuPG public key (key ID 6BB9367E, fingerprint 76DF 975A 1C56 4277 4FB0 9868 FF5F D80E 6BB9 367E) to your trusted GnuPG keyring by typing the following into /Applications/Utilities/Terminal:

gpg --import TunnelblickSecurityPublicKey.asc

To verify the signature of a file, download the corresponding signature file and then type the following into /Applications/Utilities/Terminal:

gpg --verify path-to-the-signature-file path-to-the-disk-image-file

The result should be similar to the following:

gpg: Signature made Sat Dec 16 19:17:03 2017 EST
gpg: using RSA key B4D96F0D6A58E335A0F4923A2FF3A2B2DC6FD12C
gpg: Good signature from 'Tunnelblick Security <tunnelblicksecurity@protonmail.com>' [ultimate]
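
A "Good signature" line only says that some key in your keyring made the signature. The added example below (not part of the original page or the Tunnelblick project) reads gpg's machine-readable status output and accepts the file only when the signature traces back to the fingerprint published above. The function names and the sample status lines are constructed for illustration, and the signing-subkey fingerprint in the sample is a placeholder.

```shell
#!/bin/sh
# Added example: decide on a signature from gpg's --status-fd lines.

# Primary-key fingerprint published on this page, spaces removed.
PINNED_FPR=76DF975A1C5642774FB09868FF5FD80E6BB9367E

# check_status PINNED_FPR   (status lines on stdin)
# Succeeds only if a VALIDSIG line names the pinned primary key and no
# failure status appears. The last VALIDSIG field is the primary key's
# fingerprint; the first may be a signing subkey, which is why the key
# gpg reports as "using" can differ from the fingerprint you imported.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { good = 1 }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# verify_release SIGNATURE_FILE DISK_IMAGE
# Needs gpg installed and the Tunnelblick Security key imported.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed sample of status output; $1 is the primary fingerprint to report.
sample_status() {
    sub=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   # placeholder subkey fingerprint
    echo "[GNUPG:] NEWSIG"
    echo "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Tunnelblick Security"
    echo "[GNUPG:] VALIDSIG $sub 2017-12-17 1513469823 0 4 0 1 8 00 $1"
}
```

After sourcing the file, verify_release path-to-the-signature-file path-to-the-disk-image-file returns 0 only for a signature that chains to the pinned key.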

User Contributions

These downloads have been contributed by users and usually help deal with special circumstances. They are not endorsed or checked by the Tunnelblick project, and you use them at your own risk. To contribute a download, send it to the developers or post it on the Tunnelblick Discussion Group.

Before using these scripts, please read Tunnelblick and VPNs: Privacy and Security. (Actually, everyone using a VPN should read that!)

Note: these scripts are executed as root. Instructions for using scripts.

Scripts to Unload Cisco Tun Kext: user-contributed-001-pre-post.zip
SHA1: d3b09a2284de2862be7d55059581a85698930b28 MD5: f6f484864697607ee5c7206a5b056b12
Contributed by 'petiepooo'.
These scripts unload the Cisco AnyConnect tun kext before a Tunnelblick connection is started, and reload the Cisco tun kext after a Tunnelblick connection is stopped. (The Cisco kext interferes with Tunnelblick's operation of tun connections.)
Scripts to Mount/Unmount a Volume: user-contributed-002-mount-unmount-volume.zip
SHA1: eb69727620fa8c46633d9ccf9f86c4b258fea7e6 MD5: 5b3b04bea43403b2a709aaa4c92d7473
Contributed by John Griffis.
These scripts mount a volume after a configuration is connected and unmount it when the configuration is disconnected. Scripts must be edited before use (in any plain-text editor) to specify details of the volume to be connected. For a note about connecting to a CIFS account, see this discussion.
Scripts to Monitor Connection Time and Bandwidth Use: user-contributed-003-monitor-uptime-and-bandwidth.zip
SHA1: 384b370967e722eacb2f3a782e8c326d87174003 MD5: 2c23ed5c31a1238843fb5ea36fd5dd74
Contributed by 'vkapovit'.
These scripts provide a mechanism for the user to be alerted when the VPN has been up for more than 20 minutes or when bandwidth has exceeded 100MB. See this discussion for details. Requires Growl.
Includes compiled binaries; use at your own risk.
Scripts to Launch and Kill a Program: user-contributed-004-launch-kill-program.zip
SHA1: 977aa7cc55f3e191b50057fe766c426af01808eb MD5: beccc55286b398fe0a8bcb798e25a883
Contributed by 'anonymous'.
These scripts cause a program to be launched when a VPN is connected and then killed when the VPN is disconnected. It can be used with a torrent program, for example, so that the program is only active when the VPN is connected.
Note that there may be a short time after the VPN has been disconnected before the program is killed.

Download Integrity

In June 2015 there was much discussion (and outrage) about SourceForge providing downloads that contain unwanted or malicious software; SourceForge has changed their policies to help avoid this. Tunnelblick binaries were hosted on SourceForge from the fall of 2013, when Google Code stopped hosting new binaries, until 2015-07-17, when they were moved from SourceForge to GitHub.

Tunnelblick protects against unwanted software insertions by publishing the SHA1 and MD5 hashes for each of our downloads. You should verify the hashes of all Tunnelblick downloads by following the instructions above.

Additional safeguards automatically protect updates performed by Tunnelblick's built-in update mechanism:

  • Updates are controlled by tunnelblick.net and all update data is transported via https:
  • Update downloads contain digital signatures to verify they have not been modified. (This is in addition to the macOS digital signature of the Tunnelblick application itself.) See Digital Signatures.

Downloading and Installing on macOS Mojave and Higher

When you install any application, including Tunnelblick, after it has been downloaded normally, macOS Mojave and higher send information to Apple (they 'phone home'). macOS Catalina and higher also 'phone home' each time you launch any application, including Tunnelblick.

These behaviors are considered by some to be a violation of privacy.

You can avoid these behaviors, but you will be disabling security checks which macOS would normally do on a downloaded program, including checks that the program is correctly notarized and has been found to not contain malware.

To avoid having macOS Mojave and higher 'phone home' when you install Tunnelblick, you can do the following to download Tunnelblick to your Desktop:

  1. Open the Terminal application located in /Applications/Utilities.
  2. Type (or copy/paste) 'curl --output ~/Desktop/Tunnelblick.dmg --location ' into Terminal without the quotation marks (the space after '--location' is important).
  3. In your browser, instead of clicking on the link to download Tunnelblick, Control-click the link and select 'Copy Link' (Safari), 'Copy Link Location' (Firefox), or 'Copy Link Address' (Chrome).
  4. Click in the Terminal window to select it for input, then Paste (Command-V). A URL starting with https://tunnelblick.net/release/ should appear after the '.dmg '.
  5. Press the enter/return key on the keyboard.
  6. You will see two or more progress bars showing the timing of downloads [1].
  7. Verify the download.
  8. Double-click the downloaded Tunnelblick disk image file on your Desktop to open the Tunnelblick disk image, then double-click the Tunnelblick icon in the window that appears to install Tunnelblick.

This will download the file to your Desktop without the flag that indicates the file was downloaded from the Internet. When that flag is present, macOS Mojave and higher 'phone home' when the downloaded file is double-clicked to install it; when the flag is not present, macOS Mojave doesn't.

To avoid having macOS Catalina and higher 'phone home' when you launch Tunnelblick (or other applications), see How to run apps in private.

[1] Tunnelblick downloads are redirected from the tunnelblick.net website to GitHub, which may redirect them further. Typically one or more tiny downloads (a few hundred bytes each) provide information about the redirection, and the final larger download is the desired file.


Troubleshooting this problem could be very simple: try connecting the VPN with and without 'Set nameserver' selected. If one way or the other solves your problem, you're done!

OpenVPN is such a powerful tool with so many options, and computer configurations are so varied, that it is impossible to have an exhaustive troubleshooting guide. This guide is meant for the most common setups, so if it doesn't apply to your situation, or doesn't help, see the Support page for guidance.

This page assumes that you are successfully connected to a VPN server. If not, or if you aren't sure, look at Common Problems.

If OpenVPN is connected to the server but you can't access the Internet

After connecting, if you can't reach the Internet, it's likely that your setup has

  • A DNS problem and/or
  • A routing problem and/or
  • A problem with the VPN server

Tunnelblick includes the ability to diagnose some DNS problems and will warn you about some common configuration problems.

Check for a DNS problem:
If OpenVPN connected to the server properly, but you are having trouble connecting to websites, the first thing to find out is if there is a DNS problem. To check that, try to access a website by using its IP address instead of its name. If the IP address works, but the name doesn't, there is a DNS problem. (Consider the IP address to be 'working' if any of the webpage loads.)

If you don't have a DNS problem then there is something else going on. See the Support page for guidance.

If you have a DNS problem:

  1. See if your network settings manually specify a DNS server. If they do, that server will be used even when the VPN is active unless you put a check in 'Allow changes to manually-set network settings' on Tunnelblick's 'Advanced' settings page. If the manual DNS server is your ISP's DNS server, it is probably set up to ignore queries that come from outside the network. When you are connected to the VPN, your queries come from the VPN server, which is probably outside the ISP's network, so the ISP's DNS server will ignore your request. You should set up your computer to use a free public DNS server (see How to use a different DNS server, below) while the VPN is active.

  2. If your DNS settings are specified by DHCP, check your DNS settings both before you connect to the VPN and while you are connected.
    • If the DNS settings are the same, try setting up your computer to use a free public DNS server (see How to use a different DNS server, below).
    • If the DNS settings are different, the VPN is using a DNS server specified by the VPN setup. Contact the person who maintains your VPN server to find out why that DNS server is not functioning properly.

How to check your DNS settings

  1. Launch System Preferences.
  2. Click 'Network'.
    Your DNS server list is one of the entries on the right. It is a list of IP addresses, separated by commas. macOS will use the first one unless it fails to respond to requests, in which case it will try the second, then the third, etc.

Note: If the DNS server list is dimmed (grayed out), it was set via DHCP, not manually.

How to use a different DNS server

There are two ways to set up a different DNS server:

Use a different DNS server whether or not a VPN is active

You can set your computer up to use a different DNS server all the time. Google Public DNS is free, and OpenDNS has a free version. There are lots of others. To use such a DNS server all the time (whether or not a VPN is connected):

  1. Launch System Preferences.
  2. Click 'Network'.
  3. Copy/paste the following '8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220' (without the quotation marks) into the box to the right of 'DNS Server'.

This will set up your computer to always (whether or not you are connected to the VPN) use two Google DNS servers and two OpenDNS servers (in that order). Substitute the addresses for the DNS provider of your choice if you want.

Use a different DNS server only when the VPN is active

Note: This will only work if you specify 'Set nameserver' in Tunnelblick's settings for the configuration.

Add a line to your OpenVPN configuration file for each DNS server: 'dhcp-option DNS address' (substitute the DNS server's IP address for address). (To add two servers, add two lines to the OpenVPN configuration file, one for each server.)

If OpenVPN is connected to the server but your IP address does not change

If you have a check in the 'Check if the apparent public IP address changed after connecting' checkbox on the 'Settings' tab of Tunnelblick's 'VPN Details' window, and your IP address doesn't change after connecting, a window will pop up to notify you.

If OpenVPN connects to the server properly but your IP address does not change, your OpenVPN setup needs to include the '--redirect-gateway' option. By default, OpenVPN only sends some traffic through the VPN — traffic that is specifically destined for the VPN network itself. The '--redirect-gateway' option tells OpenVPN to send all IPv4 traffic through the VPN.

There are three ways the option can be added; you need only use one:

  • Put a check in the 'Route all IPv4 traffic through the VPN' checkbox on the 'Settings' tab of Tunnelblick's 'VPN Details' window.
  • Add this: redirect-gateway def1 as a separate line in your client's OpenVPN configuration file.
  • Add this: push 'redirect-gateway def1' as a separate line in your server's OpenVPN configuration file.

(The '--' at the start of an OpenVPN option is omitted when the option appears in a configuration file.)

How to test your IP address

You can find out what IP address your computer is using by going to https://tunnelblick.net/ipinfo.

The first number shown is your apparent public IP address.

Note: tunnelblick.net does not use Javascript, other client-side scripting, plugins, trackers, beacons, or web bugs, and it does not carry advertising. It does not store cookies or any other data on your computer (except as noted in the tunnelblick.net privacy policy).

If you have checked 'Check if the apparent public IP address changed after connecting', the IP address will be displayed in the Tunnelblick menu while you are connected.
